Re: Re: Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability
Still wrong, no DoS. The server responds to further requests after the dialog
box appears:
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /favicon.ico HTTP/1.1" 200 973
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET / HTTP/1.1" 200 2559
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Web_earth3.gif HTTP/1.1" 200 3811
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Web.ico HTTP/1.1" 200 973
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/red_ball.gif HTTP/1.1" 200 397
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Tile.gif HTTP/1.1" 200 1866
Some explanation:
In desktop mode the application is interactive, but when installed as a system
service it isn't.
Of course the preferred installation for a production server is a system
service. On the other hand, the (interactive) desktop application is the choice
for web application development.
Finally the ISAPI example (!!!) files can be deleted or a simple filter in the
server configuration can be used in order to hide these files:
1.) either extend the mapping directive:
Mapping Condition="&or(&regexp('*.dll*',$U),&regexp('*.dll',$f))" ISAPIMapper
From="/isapi/" To="Isapi\"
or 2.) extend the ISAPI handler object:
CheckPath Condition="&not(&or(&regexp('*.dll*',$U),&regexp('*.dll',$f)))"
StatusCode StatusCode="404"
Both filters for example URL http://hz/isapi/users.txt return an HTTP status 404.
This is simple configuration work as described in the server documentation. So
what? I still cannot see any reason for a DoS vulnerability in this case.
Honestly, I don't believe that someone publishes the ISAPI (or CGI) examples
delivered and installed with the server in an internet environment. The default
configuration template for internet is internet.pi3, and this is of course
without ISAPI mapping by default.
Finally, there's still the fact that wrong (server version) and incomplete
(installation options, OS version) information has been posted without giving
me the chance for analysis. I'm the only person in the Pi3Web project and I do
this in my rare spare time (normally at the weekend).
--
regards,
Holger Zimmermann
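An added worked example (not from the message above or the Pi3Web project) that checks the two points the reply makes: it parses the quoted access-log entries to confirm that 2xx responses follow the 500 on /isapi/users.txt, and it mirrors the proposed filter condition &or(&regexp('*.dll*',$U),&regexp('*.dll',$f)) to show which /isapi/ requests would now get a 404. It assumes Pi3Web's &regexp is a shell-style wildcard match; the log lines are copied from the message.

```python
import re
from datetime import datetime
from fnmatch import fnmatchcase

# Access-log entries quoted in the message (wrapped lines re-joined).
ACCESS_LOG = """\
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /favicon.ico HTTP/1.1" 200 973
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET / HTTP/1.1" 200 2559
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Web_earth3.gif HTTP/1.1" 200 3811
"""

# Common-log-format line: host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\d+|-)$')


def parse_log(text):
    """Return a list of {time, path, status} dicts, in file order."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed log entries
        ts = datetime.strptime(m.group(4), "%d/%b/%Y:%H:%M:%S %z")
        entries.append({"time": ts, "path": m.group(6), "status": int(m.group(8))})
    return entries


def served_after_error(entries, error_status=500):
    """True if any 2xx response is logged after the first `error_status` entry,
    i.e. the server kept answering requests (no denial of service)."""
    for i, e in enumerate(entries):
        if e["status"] == error_status:
            return any(200 <= later["status"] < 300 for later in entries[i + 1:])
    return False


def blocked_by_isapi_filter(url_path):
    """Mirror the proposed condition: only requests under /isapi/ whose URL ($U)
    matches '*.dll*' or whose file name ($f) matches '*.dll' reach the ISAPI
    handler; everything else under /isapi/ gets a 404. Wildcard semantics for
    &regexp are an assumption made for this example."""
    if not url_path.startswith("/isapi/"):
        return False  # the filter is attached to the /isapi/ mapping only
    filename = url_path.rsplit("/", 1)[-1]
    allowed = fnmatchcase(url_path, "*.dll*") or fnmatchcase(filename, "*.dll")
    return not allowed
```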